On Tue, 8 Apr 2014, Chris Frederick wrote:

> On 04/08/14 10:13, Erik Anderson wrote:
>
>> It will be interesting to hear pfsense's response to this. I haven't 
>> seen anything from them yet.
>
> This is a very serious bug, and I would highly recommend disabling the 
> OpenVPN until pfSense sends out an update, which I'm guessing won't take 
> too long.  If this was just a website, or smtp server or something, you 
> could probably get by longer.  The script kiddie crowd will be after 
> them, maybe suffer some defacement or something.  But the nature of VPN, 
> giving an external entity access to internal resources, this is where 
> the real attackers will be focusing on, and there's usually a lot more 
> risk involved when VPNs fail.  It's probably better to suffer the 
> downtime and be safe, than have it working and risk a major breach.

I found this info:

https://forum.pfsense.org/index.php?topic=74902.msg408806#msg408806

Mike